Hacking Facebook Accounts with just a phone number through the SS7 protocol

Hacking Facebook Accounts with just a phone number is possible, experts from Positive Technologies demonstrated it exploiting flaws in the SS7 protocol.

Hacking Facebook accounts by knowing phone numbers it is possible, a group of researchers from Positive Technologies demonstrated it.

“Researchers have proven just that by taking control of a Facebook account with only a phone number and some hacking skills to exploit the SS7 network, a core piece of telecoms infrastructure shown to be vulnerable repeatedly over the last half decade.” reported a blog post published on Forbes.

The hackers exploit a flaw in the SS7 protocol for hacking Facebook accounts just by knowing a victim’s phone number. The technique allows bypassing any security measure implemented by the giant of the social networks.

SS7 is a set of protocols used in telecommunications ever since the late 1970s, enabling smooth transportation of data without any breaches.

The security issue in the SS7 signalling system could be exploited by criminals, terrorists and intelligence agencies to spy on communications. The SS7 protocol allows cell phone carriers to collect location data related to the user’s device from cell phone towers and share it with other carriers, this means that exploiting the SS7 a carrier is able to discover the position of its customer everywhere he is.

The team of researchers from Positive Technologies is the same that recently demonstrated how to hack WhatsApp and Telegram accounts by leveraging on the SS7 protocol.

The attack method devised by the experts from Positive Technologies works against any service that relies on SMS to verify the user accounts, including Gmail and Twitter.

Hacking Facebook accounts is a reality, the attacker first needs to follow the “Forgot account?” procedure by clicking on a link present in the Facebook homepage. At this point, when asked for a phone number or email address belonging to the target account, the hacker needs to provide the legitimate phone number.

At this point, the attacker can exploit the flaw in the SS7 to hijack the SMS containing a one-time passcode (OTP) that is used to log in the target’s Facebook account.

Give a look to the Proof-of-concept video published by the researchers:

Hacking Facebook accounts is possible only if users have registered a phone number and have authorized Facebook Texts.

To protect your facebook account do not link your phone number to social media sites, instead use emails for the recovery process. Always enable two-factor authentication that uses email instead SMS texts for receiving passcodes.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.